From 1dc99c9d468cfe2a7f7286a8969c586f8740bb9f Mon Sep 17 00:00:00 2001 From: John Hodrien Date: Fri, 29 Jul 2011 10:04:05 -0400 Subject: Add vetoed_shells option There may be users in LDAP that have a valid but unwelcome shell set in their account. This adds a blacklist of shells that should always be replaced by the fallback_shell. Signed-off-by: Stephen Gallagher --- src/confdb/confdb.h | 1 + src/config/SSSDConfig.py | 1 + src/man/sssd.conf.5.xml | 8 ++++++++ src/responder/nss/nsssrv.c | 4 ++++ src/responder/nss/nsssrv.h | 1 + src/responder/nss/nsssrv_cmd.c | 13 ++++++++++++- 6 files changed, 27 insertions(+), 1 deletion(-) (limited to 'src') diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h index c2ae9fcb..5e50991f 100644 --- a/src/confdb/confdb.h +++ b/src/confdb/confdb.h @@ -74,6 +74,7 @@ #define CONFDB_NSS_FILTER_GROUPS "filter_groups" #define CONFDB_NSS_PWFIELD "pwfield" #define CONFDB_NSS_OVERRIDE_HOMEDIR "override_homedir" +#define CONFDB_NSS_VETOED_SHELL "vetoed_shells" #define CONFDB_NSS_ALLOWED_SHELL "allowed_shells" #define CONFDB_NSS_SHELL_FALLBACK "shell_fallback" diff --git a/src/config/SSSDConfig.py b/src/config/SSSDConfig.py index 16d3d357..53bd14f0 100644 --- a/src/config/SSSDConfig.py +++ b/src/config/SSSDConfig.py @@ -60,6 +60,7 @@ option_strings = { 'pwfield' : _('The value of the password field the NSS provider should return'), 'override_homedir' : _('Override homedir value from the identity provider with this value'), 'allowed_shells' : _('The list of shells users are allowed to log in with'), + 'vetoed_shells' : _('The list of shells that will be vetoed, and replaced with the fallback shell'), 'shell_fallback' : _('If a shell stored in central directory is allowed but not available, use this fallback'), # [pam] diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml index b4f38465..e0380556 100644 --- a/src/man/sssd.conf.5.xml +++ b/src/man/sssd.conf.5.xml @@ -423,6 +423,14 @@ + + vetoed_shells (string) + + + Replace any instance of these shells with the shell_fallback + + + shell_fallback (string) diff --git a/src/responder/nss/nsssrv.c b/src/responder/nss/nsssrv.c index b9d548e4..ec2f0caf 100644 --- a/src/responder/nss/nsssrv.c +++ b/src/responder/nss/nsssrv.c @@ -188,6 +188,10 @@ static int nss_get_config(struct nss_ctx *nctx, &nctx->allowed_shells); if (ret != EOK && ret != ENOENT) goto done; + ret = confdb_get_string_as_list(cdb, nctx, CONFDB_NSS_CONF_ENTRY, + CONFDB_NSS_VETOED_SHELL, + &nctx->vetoed_shells); + if (ret != EOK && ret != ENOENT) goto done; ret = nss_get_etc_shells(nctx, &nctx->etc_shells); if (ret != EOK) goto done; diff --git a/src/responder/nss/nsssrv.h b/src/responder/nss/nsssrv.h index f9aff566..01a2810c 100644 --- a/src/responder/nss/nsssrv.h +++ b/src/responder/nss/nsssrv.h @@ -60,6 +60,7 @@ struct nss_ctx { char *override_homedir; char **allowed_shells; + char **vetoed_shells; char **etc_shells; char *shell_fallback; }; diff --git a/src/responder/nss/nsssrv_cmd.c b/src/responder/nss/nsssrv_cmd.c index 57eb9154..5dbd3ca7 100644 --- a/src/responder/nss/nsssrv_cmd.c +++ b/src/responder/nss/nsssrv_cmd.c @@ -314,7 +314,18 @@ static const char *get_shell_override(TALLOC_CTX *mem_ctx, user_shell = ldb_msg_find_attr_as_string(msg, SYSDB_SHELL, NULL); if (!user_shell) return NULL; - if (!nctx->allowed_shells) return talloc_strdup(mem_ctx, user_shell); + if (!nctx->allowed_shells && !nctx->vetoed_shells) return talloc_strdup(mem_ctx, user_shell); + + if (nctx->vetoed_shells) + { + for (i=0; nctx->vetoed_shells[i]; i++) { + if (strcmp(nctx->vetoed_shells[i], user_shell) == 0) { + DEBUG(5, ("The shell '%s' is vetoed. " + "Using fallback\n", user_shell)); + return talloc_strdup(mem_ctx, nctx->shell_fallback); + } + } + } for (i=0; nctx->etc_shells[i]; i++) { if (strcmp(user_shell, nctx->etc_shells[i]) == 0) { -- cgit